diff options
| author | Andreas Gohr <gohr@cosmocode.de> | 2011-10-28 14:24:56 +0200 |
|---|---|---|
| committer | Andreas Gohr <gohr@cosmocode.de> | 2011-10-31 16:02:26 +0100 |
| commit | abb56b33e0993b3c6a7f114fbd074cc59626c394 (patch) | |
| tree | f88e486b61cc32008d604067f4601ab7df14c5fc | |
| parent | 222298bcee7f8e8fd98bb6fc1bcfb821ac1e55cd (diff) | |
| download | rpg-abb56b33e0993b3c6a7f114fbd074cc59626c394.tar.gz rpg-abb56b33e0993b3c6a7f114fbd074cc59626c394.tar.bz2 | |
Check password expiry times in Active Directory backend
When a user logs in, the password expiry time is checked and compared to
the $conf['auth']['ad']['expirywarn'] setting (in days). If the password
is about to expire in the specified timeframe, a warning is issued on
login.
This patch adds a new method to the adLDAP class for querying domain
parameters.
| -rw-r--r-- | inc/adLDAP.php | 20 | ||||
| -rw-r--r-- | inc/auth/ad.class.php | 28 |
2 files changed, 43 insertions, 5 deletions
diff --git a/inc/adLDAP.php b/inc/adLDAP.php index a64096b85..24be6e475 100644 --- a/inc/adLDAP.php +++ b/inc/adLDAP.php @@ -1021,6 +1021,26 @@ class adLDAP { } /** + * Return info about the domain itself + * + * @authot Andreas Gohr <gohr@cosmocode.de> + * @param array $fields The fields to query + * @return array + */ + public function domain_info($fields){ + if (!$this->_bind){ return (false); } + + $sr = ldap_read($this->_conn, $this->_base_dn, 'objectclass=*', $fields); + if (!$sr) { + return false; + } + $info = ldap_get_entries($this->_conn, $sr); + if(count($info)) return $info[0]; + + return false; + } + + /** * Determine a user's password expiry date * * @param string $username The username to query diff --git a/inc/auth/ad.class.php b/inc/auth/ad.class.php index 1fddad243..6b022d217 100644 --- a/inc/auth/ad.class.php +++ b/inc/auth/ad.class.php @@ -26,6 +26,8 @@ * $conf['auth']['ad']['use_ssl'] = 1; * $conf['auth']['ad']['use_tls'] = 1; * $conf['auth']['ad']['debug'] = 1; + * // warn user about expiring password in this mayn days in advance: + * $conf['auth']['ad']['expirywarn'] = 5; * * // get additional information to the userinfo array * // add a list of comma separated ldap contact fields. @@ -148,7 +150,7 @@ class auth_ad extends auth_basic { global $conf; if(!$this->_init()) return false; - $fields = array('mail','displayname','samaccountname'); + $fields = array('mail','displayname','samaccountname','lastpwd','pwdlastset','useraccountcontrol'); // add additional fields to read $fields = array_merge($fields, $this->cnf['additional']); @@ -157,10 +159,14 @@ class auth_ad extends auth_basic { //get info for given user $result = $this->adldap->user_info($user, $fields); //general user info - $info['name'] = $result[0]['displayname'][0]; - $info['mail'] = $result[0]['mail'][0]; - $info['uid'] = $result[0]['samaccountname'][0]; - $info['dn'] = $result[0]['dn']; + $info['name'] = $result[0]['displayname'][0]; + $info['mail'] = $result[0]['mail'][0]; + $info['uid'] = $result[0]['samaccountname'][0]; + $info['dn'] = $result[0]['dn']; + //last password set (Windows counts from January 1st 1601) + $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600; + //will it expire? + $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD // additional information foreach ($this->cnf['additional'] as $field) { @@ -183,6 +189,18 @@ class auth_ad extends auth_basic { $info['grps'][] = $conf['defaultgroup']; } + // password will expire, let's warn the current user + if($_SERVER['REMOTE_USER'] == $user && $info['expires'] && $this->cnf['expirywarn']){ + $result = $this->adldap->domain_info(array('maxpwdage')); // maximum pass age + $maxage = -1 * $result['maxpwdage'][0] / 10000000; // negative 100 nanosecs + $timeleft = $maxage - (time() - $info['lastpwd']); + $timeleft = round($timeleft/(24*60*60)); + + if($timeleft <= $this->cnf['expirywarn']){ + msg('Your password will expire in '.$timeleft.' days. You should change it.'); + } + } + return $info; } |